Winners Consulting Services Co. Ltd. (積穗科研股份有限公司), Taiwan's expert in AI Governance, alerts enterprise leaders to a landmark finding: a 2024 study cited 114 times by the global academic community confirms that the EU AI Act's extraterritorial reach now makes high-risk AI classification and ISO 42001-aligned governance systems a non-negotiable prerequisite for any Taiwanese company exporting AI-enabled medical devices or digital health products to European markets — and the compliance clock started in August 2024.
Paper Citation: Navigating the EU AI Act: implications for regulated digital medical products (Mateo Aboy, Timo Minssen, Effy Vayena, OpenAlex — AI Governance, 2024)
Original Paper: https://doi.org/10.1038/s41746-024-01232-3
About the Authors: Who Are the Researchers Behind This Study?
This paper brings together three scholars whose combined expertise spans medical device regulation, European Union law, and AI ethics governance — making it one of the most authoritative analyses of the EU AI Act's impact on regulated digital health products published to date.
Mateo Aboy, based at Oregon Health & Science University (OHSU) in the United States, is a leading researcher at the intersection of medical device regulation, intellectual property, and artificial intelligence policy. With an h-index of 31 and 3,585 cumulative citations, he is consistently ranked among the most influential voices in AI medical regulation scholarship.
Timo Minssen is a Professor of Law at the University of Copenhagen, where he leads research on EU biotechnology, pharmaceutical law, and digital health regulation. His h-index of 20 and 2,268 cumulative citations reflect his status as one of Europe's foremost academic interpreters of AI governance legislation.
Effy Vayena is a Professor of Bioethics at ETH Zurich, and has served as an advisory expert for the World Health Organization's (WHO) guidance on AI ethics. Her work sits at the intersection of AI governance and public health policy, bringing a global health equity perspective to the regulatory analysis.
Together, their paper has attracted 114 academic citations since its 2024 publication, including 4 high-influence citations, underscoring its pivotal role in shaping how regulators, industry, and advisors interpret the EU AI Act's implications for medical AI systems worldwide.
Core Finding: Nearly All Medical AI Products Fall Under the EU AI Act's Highest Compliance Tier
The paper's central contribution is a structured legal and technical analysis of how the EU AI Act classifies and regulates AI/ML-enabled medical devices — a question with immediate practical consequences for Taiwanese exporters and manufacturers in the digital health sector.
Finding 1: Most Medical AI Systems Are Classified as High-Risk — and Face the Strictest Obligations
The EU AI Act establishes a four-tier risk classification framework: unacceptable risk, high risk, limited risk, and minimal risk. The paper's analysis demonstrates that the vast majority of AI systems performing diagnostic, predictive, monitoring, or therapeutic decision-support functions in healthcare will be classified as High-Risk AI Systems under Annex III of the Act. This classification triggers a comprehensive set of mandatory compliance requirements: rigorous technical documentation, data governance standards, algorithmic transparency and explainability requirements, human oversight mechanisms, mandatory post-market monitoring plans, and registration in the EU's AI database before market entry. For Taiwanese companies, this means that CE marking under the EU Medical Device Regulation (MDR 2017/745) is necessary but no longer sufficient — EU AI Act compliance must run in parallel.
Finding 2: "Provider" Obligations Extend Beyond EU Borders — Taiwanese Exporters Are Directly Affected
One of the paper's most consequential findings for non-EU companies concerns the broad definition of "provider" under the EU AI Act. Article 2 of the Act applies to any entity that places an AI system on the EU market or puts it into service within the EU — regardless of where that entity is headquartered. Taiwanese companies supplying AI-powered diagnostic software, clinical decision support tools, or AI-enabled medical devices to European hospitals, insurers, or patients are explicitly captured by this definition. As "providers," they must establish a quality management system (QMS), appoint an EU authorized representative, prepare a declaration of conformity, and maintain comprehensive technical documentation. The paper's analysis makes clear that these obligations are structurally parallel to the requirements of ISO 42001:2023 for an AI Management System (AIMS), suggesting that ISO 42001 certification represents the most efficient pathway toward EU AI Act provider compliance.
Finding 3: The Intersection of MDR/IVDR and the EU AI Act Creates a Dual-Track Compliance Burden
The paper provides detailed analysis of how the EU AI Act interacts with existing EU medical device regulation — specifically MDR 2017/745 and the In Vitro Diagnostic Regulation (IVDR 2017/746). The authors confirm that the two regulatory frameworks are not mutually exclusive; they apply simultaneously and independently. This means that Taiwanese manufacturers of AI-enabled medical devices must satisfy both the safety and performance requirements of MDR/IVDR and the algorithmic transparency, human oversight, and risk management requirements of the EU AI Act. The compliance complexity — and cost — is therefore significantly higher than for traditional medical devices. Companies that approach these frameworks in isolation, rather than through an integrated governance architecture, risk both market rejection and regulatory liability.
Implications for Taiwan's AI Governance Practice: Three Urgent Action Windows
The findings of this paper translate directly into three strategic imperatives for Taiwanese enterprises — particularly those in the medical technology, digital health, and AI software sectors — that cannot be deferred.
First, the EU AI Act's extraterritorial enforcement timeline is already running. The Act entered into force in August 2024. Prohibited practice provisions (Article 5) became enforceable in February 2025. High-risk system requirements under Articles 6 through 51 become fully mandatory in August 2026. Taiwanese companies targeting the European market in 2026 must begin compliance preparation now to allow adequate time for technical documentation, conformity assessment, and authorized representative appointment.
Second, ISO 42001 is the most direct bridge between Taiwan's domestic AI governance environment and EU AI Act compliance requirements. The ISO 42001:2023 AI Management System standard requires organizations to implement risk assessment processes, data governance policies, transparency mechanisms, human oversight structures, and continuous improvement cycles — all of which are structurally aligned with the EU AI Act's high-risk system requirements. Taiwanese companies that achieve ISO 42001 certification establish a documented, auditable AI governance foundation that directly supports EU AI Act technical documentation requirements and signals credibility to European notified bodies and regulatory authorities.
Third, Taiwan's own AI Basic Law (人工智慧基本法), currently advancing through the legislative process, adopts a risk-classification philosophy that closely mirrors the EU AI Act's approach. Taiwanese enterprises that proactively build ISO 42001-aligned governance systems ahead of domestic legislation will gain a first-mover advantage in government procurement, financial sector licensing, and healthcare product approval contexts — while simultaneously satisfying the requirements of the world's most stringent AI regulation.
How Winners Consulting Services Co. Ltd. Helps Taiwanese Enterprises Build AI Governance Compliance
Winners Consulting Services Co. Ltd. (積穗科研股份有限公司) provides end-to-end AI governance advisory services that directly address the compliance challenges identified in this landmark paper. Our consulting approach is built on three service pillars:
- AI Risk Classification Assessment and Gap Analysis: We conduct a systematic inventory of your organization's existing AI applications and classify each system against the EU AI Act's Annex III high-risk categories and Taiwan's emerging AI Basic Law risk tiers. Our gap analysis reports identify precisely which products or services trigger high-risk compliance obligations, and provide a prioritized remediation roadmap — giving leadership teams a clear, evidence-based starting point for compliance investment decisions.
- ISO 42001 AI Management System Implementation: We design and implement a customized AI Management System (AIMS) that meets ISO 42001:2023 requirements and is simultaneously structured to satisfy the EU AI Act's high-risk system obligations. Our implementation covers AI policy development, risk assessment procedures, data governance frameworks, transparency documentation, human oversight mechanism design, and post-deployment monitoring protocols — producing the auditable governance infrastructure needed for both ISO certification and EU regulatory submissions.
- EU Market Entry Compliance Strategy: For Taiwanese medical device manufacturers and digital health companies targeting European markets, we provide integrated EU AI Act and MDR/IVDR compliance strategy services, including EU authorized representative arrangement advisory, technical file architecture design, Post-Market Surveillance Plan (PMSP) development, and CE marking process integration — ensuring that AI Act compliance and medical device regulatory pathways are pursued in a coordinated, cost-efficient manner.
Winners Consulting Services Co. Ltd. offers a complimentary AI Governance Mechanism Diagnostic to help Taiwanese enterprises establish an ISO 42001-compliant management system within 90 days.
Frequently Asked Questions
- When will the EU AI Act actually start affecting Taiwanese medical AI exporters?
- The impact is already underway. The EU AI Act officially entered into force in August 2024. Prohibited practices under Article 5 became enforceable as of February 2025. The full suite of high-risk AI system requirements — covering most AI-enabled medical devices — becomes mandatory in August 2026. If your products are intended for European hospitals, insurers, or patients by 2026, your compliance preparation window is now. Based on our implementation experience, achieving ISO 42001 certification and meeting EU AI Act technical documentation requirements typically requires 90 to 180 days from a standing start. Winners Consulting recommends that Taiwanese exporters complete their ISO 42001 implementation by the end of 2025 at the latest to maintain adequate regulatory buffer.
- Does the EU AI Act apply to my Taiwanese company even though we are not based in the EU?
- Yes, without exception. The EU AI Act's extraterritorial scope is explicitly defined in Article 2: any provider that places an AI system on the EU market or makes it available to EU users — regardless of where the provider is established — falls within the Act's jurisdiction. This mirrors the territorial logic of the EU's General Data Protection Regulation (GDPR). Taiwanese companies supplying AI-powered diagnostic software, imaging analysis tools, or clinical decision support systems to European customers are classified as "providers" under the Act and must appoint an EU authorized representative, maintain conformity documentation, and register their high-risk systems in the EU AI database prior to deployment.
- How does ISO 42001 certification relate to EU AI Act compliance for medical AI products?
- ISO 42001:2023 and the EU AI Act are structurally complementary. The ISO 42001 AI Management System (AIMS) framework requires organizations to implement systematic AI risk assessments, data quality governance, transparency and explainability policies, human oversight mechanisms, and continuous improvement processes — each of which directly corresponds to requirements for high-risk AI systems under Articles 9 through 15 of the EU AI Act. While ISO 42001 certification does not replace the EU AI Act's formal conformity assessment procedures, it produces the documented governance infrastructure — policies, risk registers, audit trails, monitoring records — that forms the core of the technical file required by EU notified bodies. ISO 42001 is also aligned with Taiwan's AI Basic Law (人工智慧基本法) risk management principles, making it the single most efficient investment for dual domestic-international compliance.
- How long does it take to implement an ISO 42001-compliant AI governance system, and what are the steps?
- For most Taiwanese companies, full ISO 42001 implementation requires